Data breaches and ransomware hits can land companies in regulatory trouble and open them up to class action litigation, underscoring the need for robust cybersecurity practices and preparedness programs, attorneys say.
Biden’s warning was primarily focused on critical infrastructure—telecommunications providers, gas pipelines, water systems, and the like—but businesses of all stripes can be paralyzed by such attacks, landing them in reputational and legal hot water.
1. What liability do companies face?
Businesses whose systems are breached may be subject to state data breach reporting requirements, depending on the scope of the hit and the type of impacted data.
They also may face scrutiny from federal and state regulators if it comes to light that their security systems aren’t up to snuff. The Federal Trade Commission, for example, has ordered consumer-facing companies to pay hefty fines for failing to protect sensitive personal information from unauthorized access.
Consumers often sue companies in the wake of high-profile hacks, accusing them of failing to adopt adequate security standards. Exposure of personal information and loss of privacy are the most common claims, but plaintiffs’ attorneys have sought more creative avenues for post-breach litigation, such as claiming harm from heightened prices at the pump following a cyberattack against Colonial Pipeline Co. last spring.
2. How can businesses protect themselves?
Patching known vulnerabilities is one way to reduce the risk of being hit by state-affiliated ransomware gangs and other hackers. The Cybersecurity & Infrastructure Security Agency maintains a list of such weaknesses that it regularly updates.
Two-factor authentication and restricting access to key systems to the individuals who need it can reduce the risk of intrusion and limit how far an attack spreads if bad actors do break in.
Network segmentation—building “compartments” so that if one part of an environment or network is affected, the rest of the network may be spared—is another effective tool to minimize the extent of damage following an intrusion.
3. What has the government said so far?
CISA Director Jen Easterly warned U.S. companies to prepare the day Russia began its invasion of Ukraine, and Energy Secretary Jennifer Granholm urged energy executives to prepare themselves to the “highest possible level.” Federal agencies briefed more than 100 companies on the elevated threat of cyberattacks last week, according to Anne Neuberger, the deputy national security adviser for cyber and emerging technology.
While the Biden administration has put out little specific guidance about preparing for Russian hacks, the bottom line has been clear: Secure your systems and gird your company for cyber threats.
Biden recently OK’d new requirements for critical infrastructure companies that would give them 72 hours to report a hack and 24 hours to report a ransomware payment to the government once rules are in place.
4. What should companies do if they’re hit?
Responding to a breach is easier when companies have done the legwork beforehand, attorneys say.
Ransomware response plans that are updated regularly, combined with frequently conducted tabletop exercises (simulations of actual breaches), can help companies hit the ground running when they learn they have been hit by a cyberattack.
Companies should also coordinate with agencies such as the Federal Bureau of Investigation, which can help mitigate losses in the wake of an attack and can help recover ransoms, as was the case with Colonial Pipeline.